Accessing AppInstallation in checkout extensions

Hey folks, I’ve been looking into storing my app’s checkout extension configuration more securely by using an AppInstallation-owned metafield with the $app namespace instead of a Shop-owned metafield with a regular namespace.

After exploring the useAppMetafields hook, I found that it only supports specific owner types:

"cart" | "customer" | "product" | "shop" | "variant" | "company" | "companyLocation"

Unfortunately, AppInstallation isn’t in that list, so it doesn’t look like this is currently an option.

Quick question for the team: is supporting AppInstallation metafields in checkout extensions something on the roadmap? Storing sensitive configuration data in the Shop owned metafield feels less than ideal from a security standpoint. For now, I think we’ll just make requests to our own server instead.

Thanks!


Hey @Patrick_Jakubik, you’re right that useAppMetafields doesn’t currently support AppInstallation as an owner type - only Shop, Product, Customer, Variant, Company, CompanyLocation, and Cart are supported. We’ve got a full list of supported types in the Checkout UI Extensions Metafields API documentation here.

The approach I’d recommend for this would be using Shop-owned metafields with the $app namespace prefix. I definitely understand the security concern though, but I think the app owned namespace should work. The reserved namespace (which becomes app--{your-app-id}) does have some protection since merchants cannot edit these via the Admin UI, and only your app can write to this namespace via authenticated GraphQL calls (unless configured to allow write access).

Though, for truly sensitive info, I think your idea to validate the data server-side is a good one. Let me know if I can clarify anything here, hope this helps!

For AppInstallation support in app metafields, it’s not currently on the roadmap, but I’m happy to put through a feature request for you for sure. Would your use case essentially just be making it so that the info can’t be read/written by merchants?